Does anybody know how to troubleshoot the VPN server on a Cisco 2821? I turned on debugging and received the following messages.
00982: *Jan 12 17:43:14.467 PCTime: ISAKMP: encryption AES-CBC
00983: *Jan 12 17:43:14.467 PCTime: ISAKMP: hash MD5
00984: *Jan 12 17:43:14.467 PCTime: ISAKMP: default group 2
00985: *Jan 12 17:43:14.467 PCTime: ISAKMP: auth pre-share
00986: *Jan 12 17:43:14.467 PCTime: ISAKMP: life type in seconds
00987: *Jan 12 17:43:14.467 PCTime: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
00988: *Jan 12 17:43:14.467 PCTime: ISAKMP: keylength of 128
00989: *Jan 12 17:43:14.467 PCTime: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
I've tried many ways to configure the equipment (CLI and SDM) without positive results.
On first look it seems to be an encryption algorithm mismatch, which has to be set right to get the tunnel activated.
Along with that, can you post your VPN server config here?
Hi, thanks a lot. The problem was solved...
I misconfigured a default route >:-(
At this moment I have a good tunnel, but I cannot pass any traffic to the inside local network, just to the local router interface, but that's all....
I'm still searching; if you know the reason, I'd really appreciate it...
What type of traffic will not pass?
Can you ping anything on the local network? If not, it's a routing issue, or you might have the VPN addresses the same as the local network. If you can ping, then it could be a DNS or WINS resolution issue.
If you have NAT enabled on the local interface, make sure that you are excluding the VPN traffic from NAT; I believe NAT is checked before it looks for packets to be put in the VPN tunnel. The return VPN traffic may be NATted and try to go out the public interface rather than into the VPN tunnel.
Here is the config. At the beginning I tried without NAT, and now I am using NAT, but the problem remains.
Current configuration : 5195 bytes
!
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxx
!
aaa authentication login userauthen local
aaa authorization network hw-client-groupname local
aaa session-id common
clock timezone PCTime -6
no ip source-route
ip tcp synwait-time 10
no ip bootp server
ip domain name
ip name-server 10.1.20.236
ip name-server 10.9.1.51
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto keyring xxxx
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp client configuration group hw-client-groupname
 dns 10.1.20.236 10.9.1.51
crypto isakmp profile VPNclient
 match identity group hw-client-groupname
 client authentication list userauthen
 isakmp authorization list hw-client-groupname
 client configuration address respond
crypto isakmp profile DMVPN
 match identity address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
 set isakmp-profile DMVPN
!
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
! interface header was missing from the post; GigabitEthernet0/0 is inferred from the description tag and the later replies
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 10.1.21.9 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no mop enabled
!
! interface header was missing from the post; GigabitEthernet0/1 is the public interface per the default route and the later replies
interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.0
 ip nat outside
 crypto map dynmap
!
ip local pool ippool 10.20.21.230 10.20.21.235
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.0.0.0 10.1.21.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
!
logging trap debugging
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.20.21.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.20.21.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
Hi, it looks like you might have a routing conflict, i.e. possibly network routing summarization, but not knowing the rest of your network schema I can only speculate. I see there is no routing protocol enabled on this router. Does the network know that the 10.20.21.0 subnet (VPN pool) is accessed via the 10.1.21.9 IP address on Gigabit0/0?
Also, looking at the default route 10.0.0.0 255.0.0.0 10.20.21.1, the packets would be sent back to this interface, thus not reaching the VPN tunnel.
I've had better luck using a completely different subnet for the VPN pool addresses, i.e. 192.168.1.0 for example, and making sure that subnet gets routed to the correct interface, 10.1.21.9 on gig0/0. This way the possible routing protocol conflict gets eliminated.
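The two points raised above, the NAT exemption done by route-map nonat and the 10.0.0.0/8 static route pulling the VPN pool back toward the inside gateway, can be checked offline against the posted config. This is an added example written for this thread, not code from any poster; the routes and ACL entries are copied from the config, and the sample addresses 10.1.21.50, 10.20.21.231 and 192.168.1.5 are constructed.

```python
import ipaddress

# Values below are constructed from the configuration posted in the thread.
# Routes: (destination, next hop or egress interface); Gi0/1 carries the crypto map.
STATIC_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/1"),
    (ipaddress.ip_network("10.0.0.0/8"), "10.1.21.1 via GigabitEthernet0/0"),
]
ACL_101 = [  # used by route-map nonat: a permit here means the packet IS translated
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 10.20.21.0 0.0.0.255",
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 any",
]

def wildcard_to_network(addr, wildcard):
    """IOS wildcard (1 bits = don't care) to a prefix; assumes a contiguous wildcard."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((int(ipaddress.IPv4Address(addr)) & mask, bin(mask).count("1")))

def parse_ace(line):
    """'access-list N action ip SRC DST' -> (action, src_net, dst_net)."""
    tok = line.split()
    action, i, nets = tok[2], 4, []
    for _ in range(2):  # source spec, then destination spec
        if tok[i] == "any":
            net, step = ipaddress.ip_network("0.0.0.0/0"), 1
        elif tok[i] == "host":
            net, step = ipaddress.ip_network(tok[i + 1] + "/32"), 2
        else:
            net, step = wildcard_to_network(tok[i], tok[i + 1]), 2
        nets.append(net)
        i += step
    return action, nets[0], nets[1]

def is_natted(src, dst, acl=ACL_101):
    """First matching entry wins; the implicit deny at the end exempts the flow from NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in map(parse_ace, acl):
        if src in s and dst in d:
            return action == "permit"
    return False

def next_hop(dst, routes=STATIC_ROUTES):
    """Longest-prefix match over the static routes."""
    dst = ipaddress.ip_address(dst)
    return max((net.prefixlen, hop) for net, hop in routes if dst in net)[1]

if __name__ == "__main__":
    # LAN -> VPN client return traffic is exempt from NAT, but the 10.0.0.0/8 route sends
    # it back toward the inside gateway, never reaching the crypto map on Gi0/1.
    print(is_natted("10.1.21.50", "10.20.21.231"), next_hop("10.20.21.231"))
    # A pool outside 10/8 (the 192.168.1.0 suggestion) falls through to the default route.
    print(next_hop("192.168.1.5"))
```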
In addition to the other post, I would like to suggest modifying the static route defined in your configuration.
You have mentioned the default route pointing towards Gig 0/1; if you know the IP address of the device which will serve as the gateway for your router, you can specify that IP address as well:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 x.x.x.x
where x.x.x.x is the IP address of the device which is going to serve as the gateway here.
Since this equipment is a VPN server for mobile users and remote SOHOs, I do not know the remote IP addresses (dynamic DSL IPs). Int Gi0/1 is the public interface pointing to the Internet.
At this moment I made a couple of changes:
I disabled NAT on both interfaces and used a subnet valid in the whole network, setting the segments or subnets that the final users have to reach, and it is WORKING now!!!!
It's something really strange...
Last question: do you recommend using NAT on both interfaces?
Thanks a lot to everyone in advance....
Hi, since this server is being used for remote users only, it sounds like NAT is not required.
NAT simply takes a private address and converts it to a valid public one based on the access-list you configure and the public pool or interface you use.
If there are no users (other than VPN users) I wouldn't configure NAT.
I would however configure an inbound access list on gig0/1 (Internet interface) to allow IPsec and ISAKMP traffic only (ports 50, 41, and 500).
As it stands now I could potentially telnet into that public IP address (if known) and get a prompt for a password.
Just a suggestion.